invalidate cached client tokens

2021-06-20 00:16:41 +02:00 · 2021-06-20 00:16:41 +02:00 · a2e63d82bd
parent 438c43d29f
commit a2e63d82bd
3 changed files with 30 additions and 12 deletions
--- a/app/controllers/OAuth.scala
+++ b/app/controllers/OAuth.scala
@ -105,8 +105,13 @@ final class OAuth(env: Env) extends LilaController(env) {
      revokeClientForm
        .bindFromRequest()
        .fold(
-          _ => funit,
-          origin => env.oAuth.tokenApi.revokeByClientOrigin(origin, me) // TODO: also remove from token cache
+          _ => BadRequest.fuccess,
+          origin =>
+            env.oAuth.tokenApi.revokeByClientOrigin(origin, me) map {
+              _ foreach { token =>
+                env.oAuth.server.deleteCached(token)
+              }
+            } inject NoContent
        )

    }
--- a/app/views/account/security.scala
+++ b/app/views/account/security.scala
@ -22,7 +22,7 @@ object security {
    account.layout(title = s"${u.username} - ${trans.security.txt()}", active = "security") {
      div(cls := "account security")(
        div(cls := "box")(
-          h1(trans.sessions()),
+          h1(trans.security()),
          standardFlash(cls := "box__pad"),
          div(cls := "box__pad")(
            p(
--- a/modules/oauth/src/main/AccessTokenApi.scala
+++ b/modules/oauth/src/main/AccessTokenApi.scala
@ -63,8 +63,8 @@ final class AccessTokenApi(colls: OauthColls)(implicit ec: scala.concurrent.Exec
          ) -> List(
            UnwindField(F.scopes),
            GroupField(F.clientOrigin)(
-              F.usedAt    -> MaxField(F.usedAt),
-              F.scopes    -> AddFieldToSet(F.scopes)
+              F.usedAt -> MaxField(F.usedAt),
+              F.scopes -> AddFieldToSet(F.scopes)
            ),
            Sort(Descending(F.usedAt))
          )
@ -74,21 +74,34 @@ final class AccessTokenApi(colls: OauthColls)(implicit ec: scala.concurrent.Exec
        for {
          doc    <- docs
          origin <- doc.getAsOpt[String]("_id")
-          usedAt  = doc.getAsOpt[DateTime](F.usedAt)
+          usedAt = doc.getAsOpt[DateTime](F.usedAt)
          scopes <- doc.getAsOpt[List[OAuthScope]](F.scopes)
        } yield AccessTokenApi.Client(origin, usedAt, scopes)
      }

-  def revokeByClientOrigin(clientOrigin: String, user: User): Funit =
-    colls.token {
-      _.delete
-        .one(
+  def revokeByClientOrigin(clientOrigin: String, user: User): Fu[List[AccessToken.Id]] =
+    colls.token { coll =>
+      coll
+        .find(
          $doc(
            F.userId       -> user.id,
            F.clientOrigin -> clientOrigin
-          )
+          ),
+          $doc(F.id -> 1).some
        )
-        .void
+        .sort($sort desc F.usedAt)
+        .cursor[Bdoc]()
+        .list(100)
+        .flatMap { invalidate =>
+          coll.delete
+            .one(
+              $doc(
+                F.userId       -> user.id,
+                F.clientOrigin -> clientOrigin
+              )
+            )
+            .inject(invalidate.flatMap(_.getAsOpt[AccessToken.Id](F.id)))
+        }
    }

  def revokeByPublicId(publicId: String, user: User): Fu[Option[AccessToken]] =